When will Sonos put additional security measures in place?

  • 1 November 2016
  • 78 replies
  • 4852 views

Badge +1
Today I read an article (https://www.ncsc.nl/actueel/nieuwsberichten/iot-botnets-veroorzakers-nieuwste-ddos-aanvallen.html for those able to read Dutch) in which the Dutch Nationaal Cyber Security Center (NCSC) is taking steps to track down security issues of home-use Internet of Things devices.
So my question is whether Sonos will step up to the plate.

As far as I know the only counter-measure against getting access to any Sonos product is the locally used WiFi SSID name / password.



As I thought, he's posting here to be a complete pain in the butt. Time for an ignore feature, for both users and threads. Too bad InSided is so bad.
+1 for an ignore feature.
Badge +1
As I thought, he's posting here to be a complete pain in the butt. Time for an ignore feature, for both users and threads. Too bad InSided is so bad.

I would love a feature for ignoring certain posters. It would be a good suggestion and you have my vote for having it added to the forum as an added feature as soon as possible.

Frankly though, IF I were Sonos I would not implement it unless it is an already free feature which was part of the forum package but one that had not been tagged yet for functionality. Remember anything not free is an impact on profits made.
A commercial company will most likely only support services when they do not come at a negative cost in general.

I again, IF I were Sonos, would just advise posters in general to ignore unwanted threads and just not post in those threads. Even more so if you would want to ignore the poster in question. I also would ask the moderators to step in if threads go south.

Up till now I have made public the concerns I have about things which I believe should be improved.
I also asked about their future plans on supporting their hardware/firmware/software.
I think everyone is quite aware of your self-styled purpose here. Trust me, there's no need to clarify.
Userlevel 6
Badge +15
They're not especially accurate either. The ports mentioned are not open, for TCP at least. And UDP port scans are notorious for yielding false positives.

Besides, why are we even discussing it? These are ports on a private network.


Speaking as a security professional, private networks are not a security failsafe, they are merely a layer. There's a reason why most successful attacks nowadays are against clients - because we've spent many years hammering at firewalls, routers, IDSs and WAFs, and consequently most of the easy attacks from the outside have been found and accounted for. Attackers have moved to the softer, weaker, client machines, especially residential and consumer systems, because these are often less protected.

If your browser is susceptible to cross-site scripting, it's entirely possible for you to browse a site, download a script that runs in your browser to attack internal systems from a trusted internal network. This attack is not a theory or PoC, it's been effectively used in the real world already to modify routers to allow remote WAN access to the management pages, so it could certainly be used to access SONOS devices' internally accessible ports.

So, say it works - I shoot you a script, you view it in your browser and it connects to your player's reboot URL and reboots your speaker. Hmm, cool, DoS! But just getting access to the page means I can try sending other things - buffer overflows, format string attacks, etc. Maybe right now all I've got is an annoying DoS - can I create something else?

Now, OTOH, also speaking as a security professional: security for anything, cyber, personnel, physical, is a risk management exercise. What could happen, what is the likelihood, what is the potential impact? Am I a target of opportunity (commodity) or a specific person of value? If I'm just a normal home user (or device commonly used at home), there are likely many, many, many more devices that are less secure and easier to craft an exploit for than SONOS. In that case, SONOS doesn't have to outrun the bear, just every other IoT device. If I'm a specific entity of value to a certain attacker, then I have to up my game, so to speak. So, for the average SONOS users, how high is their risk - pretty low in my estimation. But SONOS in a corporate environment? I wouldn't connect it to the same LAN as my database server or credit card readers, KWIM?

/ now feel like going home today and experimenting with the various pages and ports and XSS
Badge +1
As mentioned earlier in this thread I was able to download the *.upd file without any issues from the Sonos update server (global server?) ... over http. I just had to read out the info already available within the "Status-pages".
I think I did read an article a bit back where Microsoft was told to up their update policies by making sure their updates should only be available over https.

Guess Sonos might want to follow if they want to be a "responsible" manufacturer.
(Granted Sonos is no Microsoft but still.)

Time will tell?
Userlevel 4
Quoting jgatie: You would have to duplicate the entire functionality of the Sonos firmware, add in your own mic monitoring functions, break into the individual Sonos units in the home (or substitute your firmware for the version at the Sonos servers, highly unlikely), somehow initiate an update of your own firmware, then you would be able to access the microphones. Compare this with simply breaking into laptop via telnet/ftp and loading a background app and you see why a hacker is going to pick an easier target.

This is a typical head-in-the-sand fallacy. "I can't imagine how it would be easy, so it must be hard and/or unlikely". Guess what though, all hackers love a challenge.

But they wouldn't even have to reimplement the firmware, just hijack it, and then package the hijack as a product for sale to security agencies and/or hacking teams. There are clusters of firms specialising in this stuff, it's a big industry.

Bear in mind, Sonos use off-the-shelf integrated circuits for many components; the underlying OS is clearly a Linux derivative and they won't be reinventing the kernel drivers except possibly for special-sauce elements like their DSPs.

This isn't rocket science, it's just computer programming, and there are hundreds of thousands of people already capable of what you described. For some of them, developing and selling pre-packaged hacking tools is simply the day job.
Badge +1
Well, in the end Sonos is mentioned in this very article basically confirming my findings/concerns.

http://blog.trendmicro.com/trendlabs-security-intelligence/iot-devices-need-better-builtin-security/

Good job, Sonos.
Userlevel 7
Badge +22
Making a personal Sonos clone might be a fun project and I can see several ways to go there.

Making a commercial Sonos clone, I believe is not just an engineering issue but also a patent law problem.
Userlevel 7
Badge +21
Well, in the end Sonos is mentioned in this very article basically confirming my findings/concerns.

Good job, Sonos.

That article is mistaking a tiny number of Sonos users (around 5,000 worldwide, out of millions of Sonos customers) who have horribly misconfigured networks for a security issue of the device manufacturer. These are people that are either forwarding a port on their router to one or more of their Sonos devices, or have firewall rules that are allowing traffic from the internet directly into their network, with the result being that the Sonos device is able to be accessed from the internet.

Sonos' resulting software update has removed lots of technical and otherwise useful information that advanced Sonos users relied on for information about their systems because a small fraction of users screwed up and left their devices accessible to the internet.

Maybe there's something Sonos could do to prevent devices that aren't connected to the local network from being able to control the speakers... but now you're making changes that are affecting legitimate users who maintain multiple networks and want to be able to control their Sonos devices on one network from their phone or computer on another network.
Confirming that there are a tiny fraction of Sonos users who are so ignorant of even basic network security (and yet they willfully turn off default security meant to protect the ignorant), and because of these idiots, we all lose some very valuable diagnostic tools? Yeah, good job CaptainLeonidas_Sonos. It's tinfoil hat posts like yours that led to us losing these tools.
Badge +1
Just get it done Sonos and update like I suggested you should have in the first place. Btw the Internet has lots of stuff cached. So good luck with that. Shame really...

I do still use a Play:1 but I made provisions to avoid the leaks mentioned.
Badge +1
Guess basic security thinking breaks your tools equals update your skillset for once?
Ouch, no wonder database administrators just hate masks....

And while I am at it.. A proper Windows store app? The current Windows client feels.... Well so last century.
Userlevel 5
Badge +1
Guess basic security thinking breaks your tools equals update your skillset for once?
Ouch, no wonder database administrators just hate masks....


The resident expert blames you and your post for losing access to the diagnostic pages. LOL dude it's totally your fault thanks a lot those 5k+ other Sonos customers be damned.
Badge +1
Blame the Messenger, sure sure.

Frankly I was surprised TrendMicro did come out with the results like I saw coming.
Anyway, make no mistake, I will not back down on obvious security flaws if I see them or when they might be of relevance.

I would look to Sonos instead for more secure ways to get access to diagnostics and whatnot.
IoT security issues are becoming more of a hot item, like it or not.
Badge +1
http://resources.infosecinstitute.com/differences-privacy-laws-in-eu-and-us/ might be a start as to why I am not a fan of leakage in IoT in general.
Dear Captain,

You don’t have a clue. Please go away now.

Thank you,
The clued in
Badge +1
Not going anywhere unless I get ld by one of the known. You are not one of them.

Thank you
The Captain.....

Sigh....
Badge +1
Hmm, seems the post was made but not on my screen.
Hence the multi postings

To the admins feel free to remove the excess of posts.
(Perhaps an idea to add a delete button dear Sonos so you can remove a post?)
Badge +1
Anyway,

@Chicks you have the option to enlighten me with your pearls of wisdom. The "Reply"-field is all yours.

And Sonos can PM me with relevant info or debunk me on this forum (frankly I would like that as it would restore my faith in them altogether).
Yet I have not seen one PM or a post by a Sonos representative.
Badge +1
Funny how now Sonos is patching its product next month. Though weird I am clueless and made a post way back when and I was the deadbeat.

Well enjoy.
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
Userlevel 7
Badge +21
This DNS rebinding "attack" (it's not really an attack, it's taking advantage of common device hostnames and using cross-site scripting methods to access local network devices) was just recently found a couple of weeks ago... oh, and it also affects Chromecast and other devices as well, so Sonos definitely isn't alone in having the issue. But they've acknowledged it and have plans to fix it.

Once again, the most an attacker would have been able to gather is data about your Sonos system... your other Sonos speakers and their IP addresses on your network. They still don't have a way in to turn your Sonos speakers into bots or other attacking devices.
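Both the browser-borne attack described earlier in the thread (a script running in your browser that reaches the player's HTTP pages on the LAN) and the DNS rebinding issue linked above rely on the browser sending requests to the device under a hostname the attacker controls. The standard device-side mitigation is to check the HTTP Host header and refuse anything that is not the device's own address or an expected local name. The following is an added illustration written for this thread, not Sonos code; the hostnames `speaker.local`/`localhost`, the port 8080 and the sample Host values are constructed assumptions.

```python
import ipaddress
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names this device legitimately answers to (constructed example values, not Sonos's).
ALLOWED_HOSTNAMES = {"speaker.local", "localhost"}

# Host header grammar: either a bracketed IPv6 literal or anything without a colon,
# optionally followed by ":port".
_HOST_RE = re.compile(r"^(?P<host>\[[0-9a-fA-F:.]+\]|[^:]+)(?::(?P<port>\d{1,5}))?$")


def host_header_allowed(host_header, allowed_hostnames=ALLOWED_HOSTNAMES):
    """Return True only if Host names this device by a private/loopback/link-local IP
    or by one of the allowed hostnames.

    In a DNS rebinding attack the browser reaches the device through the attacker's
    domain, so the Host header carries that domain rather than a local address.
    Rejecting such requests stops the attack before any page handler runs.
    """
    if not host_header:
        return False
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return False
    host = m.group("host")
    if host.startswith("["):          # strip IPv6 brackets
        host = host[1:-1]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: accept only the device's own known names.
        return host.lower() in allowed_hostnames
    # Accept only addresses that can belong to the local network.
    return ip.is_private or ip.is_loopback or ip.is_link_local


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Minimal status-page server that enforces the Host check on every request."""

    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: the client asked for a name we do not serve.
            self.send_error(421, "Misdirected Request")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"status page\n")


if __name__ == "__main__":
    # Constructed port; bind address and port are placeholders for a real device.
    HTTPServer(("0.0.0.0", 8080), LocalOnlyHandler).serve_forever()
```

The check deliberately treats an unbracketed IPv6 literal or a malformed port as a rejection, since a well-formed browser request never sends those; anything that fails the match is simply not served. Checking the Origin header on state-changing requests is the natural companion control, but the Host check alone is what defeats rebinding.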
Funny how now Sonos is patching its product next month. Though weird I am clueless and made a post way back when and I was the deadbeat.

Well enjoy.
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325


This patch has absolutely nothing to do with your first post. You gloating over this is like stating an earthquake is imminent in Iowa and then coming back a year later to say "told you so" about a recent tornado warning.